On 2014-11-11 08:26:30 +0800 (+0800), Thomas Goirand wrote:
[...]
> We then better have just an OpenStack keyring, just like there's a
> Debian developer keyring, on which we delegate the trust to some
> kind of organization (but this needs to be used for something...).
[...]

I've been putting together a plan to verify tag signatures against a keyring within our release automation (primarily for the benefit of proving a chain of custody when release artifacts are re-signed by our infrastructure). While this doesn't necessarily require a strong correlation in our web of trust, any human processes which grow up around the automation have a potential to benefit from one.

> We use that time so we can gather in small groups of people that
> we don't know, and take the time to present ourselves to others,
> and tell what we do, who we are, etc.
[...]

This not only makes for a stronger web of trust, but also a stronger community in general. However, it's not strictly necessary to have a time organized across the entire project to engage one another in intimate groups.
-- 
Jeremy Stanley
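
An added example, not part of the original message and not OpenStack's release automation: one way to check a tag signature against a keyring is to parse the GnuPG status lines that `git verify-tag --raw <tag>` writes to stderr and compare the signer's primary-key fingerprint with the keyring's list. The fingerprints, user ID and function names below are constructed for illustration.

```python
# Added example: decide from GnuPG status output whether a tag was signed
# by a key on the release keyring. All key material here is constructed.
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(text):
    """Yield (keyword, args) for every '[GNUPG:] ' status line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            yield parts[1], parts[2:]

def check_tag_signature(status_text, keyring_fprs):
    """Return (ok, detail); keyring_fprs is a set of primary-key fingerprints."""
    events = list(parse_status(status_text))
    keywords = [k for k, _ in events]
    for k in keywords:
        if k in BAD:  # bad, unverifiable, expired or revoked: never accept
            return False, k
    valid = [a for k, a in events if k == "VALIDSIG"]
    if "GOODSIG" not in keywords or len(valid) != 1:
        return False, "no single valid signature"
    args = valid[0]
    # VALIDSIG field 1 is the key that signed (often a subkey); field 10 is
    # the primary key, which is what a keyring of people lists.
    primary = (args[9] if len(args) >= 10 else args[0]).upper()
    if primary not in keyring_fprs:
        return False, "signer not in keyring"
    return True, primary

# Constructed sample input (not real keys).
PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {SUBKEY[-16:]} Constructed Releaser <releaser@example.org>",
    f"[GNUPG:] VALIDSIG {SUBKEY} 2014-11-11 1415665590 0 4 0 1 8 00 {PRIMARY}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
# GnuPG reports an expired signing key as EXPKEYSIG but still emits VALIDSIG.
EXPIRED = GOOD.replace("GOODSIG", "EXPKEYSIG")

if __name__ == "__main__":
    print(check_tag_signature(GOOD, {PRIMARY}))
    print(check_tag_signature(EXPIRED, {PRIMARY}))
```

The check ignores the `TRUST_*` line on purpose: membership in the keyring is the authorization decision, so no web-of-trust path to the signer is needed.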
